Public CA for secure clusters

This link https://www.cockroachlabs.com/docs/stable/create-security-certificates-custom-ca.html mentions using an “external public CA”.

However my understanding is that the authentication mechanism is somewhat limited, in that it trusts any incoming connection if the CN=node and is signed by the same CA, and the IP address is listed in the server node’s Subject Alternative Name fields.

i.e. if we had a multi-cloud deployment with a public proxy to proxy replica connections and placed that IP in the Subject Alternative Name fields, and we used a public CA (i.e. Let’s Encrypt), then anybody could join our cluster.

If this is correct there should be a large warning, or better wording to recommend against using public CAs.
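As an added illustration (my own sketch, not CockroachDB code), here are the three acceptance conditions described above written out in Go against a constructed throwaway PKI: a CN=node cert from our own CA with the peer IP in its SAN passes, while an identical-looking cert from any CA we never enrolled is rejected at the chain check, which is exactly why the set of enrolled roots is the thing that matters. `newCert`, `acceptNode` and the address 10.0.0.5 are made up for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert issues a cert with CN cn and SAN ips, signed by parent (nil = self-signed CA). Constructed demo PKI, not `cockroach cert` output.
func newCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey, ips ...net.IP) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, IPAddresses: ips,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// acceptNode applies the thread's three conditions: chains to one of our roots, CN is "node", peer IP is in the SAN list.
func acceptNode(cert *x509.Certificate, roots *x509.CertPool, peer net.IP) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // issuer is not one of our enrolled roots (or the chain is otherwise invalid)
	}
	if cert.Subject.CommonName != "node" {
		return fmt.Errorf("CN is %q, want node", cert.Subject.CommonName)
	}
	for _, san := range cert.IPAddresses { if san.Equal(peer) { return nil } }
	return fmt.Errorf("peer %s is not in the SAN list", peer)
}

func main() {
	ca, caKey := newCert("Cluster CA", nil, nil) // our private CA is the only enrolled root
	roots := x509.NewCertPool(); roots.AddCert(ca)
	peer := net.ParseIP("10.0.0.5")
	node, _ := newCert("node", ca, caKey, peer)
	other, otherKey := newCert("Other CA", nil, nil) // a CA we never enrolled, e.g. a public one
	stray, _ := newCert("node", other, otherKey, peer)
	fmt.Println(acceptNode(node, roots, peer), "|", acceptNode(stray, roots, peer))
}
```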

In theory you’re right, but in practice no public CA will give you a cert with CN=node. It’s only really possible to use public CAs for the UI certificate at this point. The docs could certainly be more clear about this; I’ve filed an issue for this.

We’re also working on some improvements that would make it possible and safe to use other CAs including public ones.

Also, Letsencrypt (mentioned explicitly on that page) doesn’t issue certificates with an IP address in the subjectAlternateName - although it’s possible they might in future.

More context linked from here.